XbowCriticalHighFindings
| Field | Value |
|---|---|
| Id | f8e7d6c5-4b3a-4912-8f0e-2d1c3b4a5678 |
| Rulename | XbowCriticalHighFindings |
| Description | Creates an incident for each Critical or High severity finding reported by XBOW that is currently in an open state. These findings represent the most severe security issues and require immediate attention. Each alert is deduplicated per finding so re-ingestion of the same finding does not produce duplicate incidents. |
| Severity | High |
| Tactics | InitialAccess, Execution, PrivilegeEscalation, DefenseEvasion, Impact |
| Techniques | T1190 |
| Required data connectors | XbowSecurityConnector |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowCriticalHighFindings.yaml |
| Version | 1.0.0 |
| Arm template | f8e7d6c5-4b3a-4912-8f0e-2d1c3b4a5678.json |
```kusto
XbowFindings_CL
| where TimeGenerated > ago(1h)
| where tolower(Severity) in ('critical', 'high')
| where isempty(State) or tolower(State) == 'open'
| summarize arg_max(TimeGenerated, *) by FindingId
| join kind=leftouter (
    XbowAssets_CL
    | summarize arg_max(TimeGenerated, *) by AssetId
    | project AssetId, StartUrl
) on AssetId
| project
    TimeGenerated,
    FindingId,
    FindingName,
    Severity,
    State,
    Summary,
    Impact,
    Mitigations,
    Recipe,
    AssetId,
    AssetName,
    OrganizationId,
    CreatedAt,
    StartUrl
```
```yaml
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByCustomDetails:
      - FindingId
    matchingMethod: Selected
    groupByAlertDetails: []
    groupByEntities: []
    lookbackDuration: 24h
    enabled: true
    reopenClosedIncident: false
requiredDataConnectors:
  - dataTypes:
      - XbowFindings_CL
      - XbowAssets_CL
    connectorId: XbowSecurityConnector
relevantTechniques:
  - T1190
triggerOperator: gt
customDetails:
  State: State
  CreatedAt: CreatedAt
  Mitigations: Mitigations
  AssetName: AssetName
  FindingId: FindingId
  FindingName: FindingName
  AssetId: AssetId
  OrganizationId: OrganizationId
  Severity: Severity
queryFrequency: 30m
severity: High
triggerThreshold: 0
entityMappings:
  - fieldMappings:
      - columnName: StartUrl
        identifier: Url
    entityType: URL
alertDetailsOverride:
  alertDescriptionFormat: '{{Severity}} severity finding on {{AssetName}}. {{Summary}}'
  alertDisplayNameFormat: 'XBOW {{Severity}}: {{FindingName}}'
name: XbowCriticalHighFindings
query: |
  XbowFindings_CL
  | where TimeGenerated > ago(1h)
  | where tolower(Severity) in ('critical', 'high')
  | where isempty(State) or tolower(State) == 'open'
  | summarize arg_max(TimeGenerated, *) by FindingId
  | join kind=leftouter (
      XbowAssets_CL
      | summarize arg_max(TimeGenerated, *) by AssetId
      | project AssetId, StartUrl
  ) on AssetId
  | project
      TimeGenerated,
      FindingId,
      FindingName,
      Severity,
      State,
      Summary,
      Impact,
      Mitigations,
      Recipe,
      AssetId,
      AssetName,
      OrganizationId,
      CreatedAt,
      StartUrl
version: 1.0.0
tactics:
  - InitialAccess
  - Execution
  - PrivilegeEscalation
  - DefenseEvasion
  - Impact
queryPeriod: 1h
description: |
  Creates an incident for each Critical or High severity finding reported by XBOW that
  is currently in an open state. These findings represent the most severe security issues
  and require immediate attention. Each alert is deduplicated per finding so re-ingestion
  of the same finding does not produce duplicate incidents.
kind: Scheduled
id: f8e7d6c5-4b3a-4912-8f0e-2d1c3b4a5678
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowCriticalHighFindings.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
```